On 7/21/2011 12:27 PM, Scott Ferguson wrote:
> On 07/20/2011 10:39 AM, Aaron Freeman wrote:
>> I'd like to disabled the HTTP CONNECT method. I don't know the best
>> way to do that, but I tried this and it's not working:
>>
>> <resin:Forbidden regexp='.*'>
>> <resin:IfMethod value="CONNECT"/>
>> </resin:Forbidden>
>>
>> The request is passed on and I receive a 200 OK response when I telnet
>> and test the CONNECT.
>>
>> What is the most efficient way to get Resin to deny those requests?
> That config works for me. (You don't need the regexp if you're matching
> everything, but it doesn't matter for this issue.)
>
> There is the<resin:Forbidden> tag?
>
> -- Scott
>

Advertising

The config doesn't bomb, but in resin-pro-4.0.18 when I run this:
> telnet localhost 80
then
CONNECT http://localhost/ HTTP/1.0
I then get the home page and a 200 OK, instead of a 403 FORBIDDEN.
You are able to get it to throw an appropriate HTTP 403?
Thanks,
Aaron
_______________________________________________
resin-interest mailing list
resin-interest@caucho.com
http://maillist.caucho.com/mailman/listinfo/resin-interest